On 11. 12. 23 1:04, Wietse Venema via Postfix-users wrote:
> Confirmed. A preliminary fix is below. This will prepend the Received-SPF from the policy service after the Postfix-generated Received: header and before the received message. With this fix, a Milter can replace a PREPENDed Received-SPF: header as one would expect. This change is a bit invasive as it changes the message layout, which is not needed if a configuration does not use Milters.
Will this not cause breakages in other programs though? With the current behaviour, you can easily determine that a header was added by some local (own) program and consider it trustworthy. Any header below our own Received: is controlled by the sender and can contain fake information.
SpamAssassin comes to mind as an example. I would need to re-check but I think it only considers Received-SPF to be trustworthy if it's above our own Received header (trusted/internal network relays come into play here but let's stick with the simple case).
Example for current behaviour:

Received-SPF: Pass *<-- only we could've added this*
Received: from some.server by this.server

With the new one:

Received: from some.server by this.server
Received-SPF: Pass *<-- did scammer add it or did we?*
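Added example, not part of the original message and not SpamAssassin's or Postfix's code: a position-based trust check of the kind described above, run over both header layouts. The function name, the host name this.server as the local MTA, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

def classify_received_spf(raw_message, local_host):
    """Return [(header value, trusted)] for every Received-SPF header.

    Trusted means: located above the topmost Received: header stamped
    "by <local_host>". With no such Received: header, nothing is trusted.
    """
    headers = message_from_string(raw_message).items()  # top-to-bottom order
    by_local = re.compile(r"\bby\s+" + re.escape(local_host) + r"(?![\w.-])", re.I)
    # Index of our own Received: header; everything below it came with the message.
    boundary = next((i for i, (name, value) in enumerate(headers)
                     if name.lower() == "received" and by_local.search(value)), None)
    return [(value.strip(), boundary is not None and i < boundary)
            for i, (name, value) in enumerate(headers)
            if name.lower() == "received-spf"]

# Constructed sample messages (hypothetical hosts and addresses).
CURRENT_LAYOUT = (
    "Received-SPF: Pass\n"
    "Received: from some.server by this.server\n"
    "From: sender@example.org\n\nbody\n"
)
NEW_LAYOUT = (
    "Received: from some.server by this.server\n"
    "Received-SPF: Pass\n"
    "From: sender@example.org\n\nbody\n"
)
SENDER_SUPPLIED = (
    "Received-SPF: Fail\n"                         # added locally
    "Received: from some.server by this.server\n"
    "Received-SPF: Pass\n"                         # arrived with the message
    "From: sender@example.org\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in (("current", CURRENT_LAYOUT), ("new", NEW_LAYOUT),
                       ("sender-supplied", SENDER_SUPPLIED)):
        print(label, classify_received_spf(raw, "this.server"))
```

Under this rule the locally generated header in the new layout is classified the same way as a sender-supplied one, which is the breakage the message asks about.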